HAProxy community

Force Haproxy to send client certificate if server client-CA list does not contain matching CA

Hi All,

I'm trying to set up haproxy as a forward proxy that adds a client certificate to authenticate against a backend.

This backend server does not present the correct CA list to haproxy; the client certificate comes from another CA. The backend is a PaaS and they do not have control over the CAs presented.
On Apache HTTPD mod_proxy I solved this by setting my own list of CAs using 'SSLProxyMachineCertificateChainFile', sort of faking the acceptable CA list.

How can I get haproxy to send the configured certificate to the backend? From the documentation I figured it would send the "default" or first configured certificate.
How can I set the log to a level where it shows me trying to send the client certificate or not? This is not visible now.

Any help would be appreciated!

Configuration:

listen c4-stedin-o
    bind 0.0.0.0:8003
    # Enable trace logging:
    filter trace hexdump random-parsing random-forwarding
    # Note: network_allowed is defined but not referenced by any rule below.
    acl network_allowed src 127.0.0.1
    acl correct_host hdr(host) -i host
    http-request deny if !correct_host

    # Backend TLS: ca-file is the CA bundle used to verify the backend's server
    # certificate; crt is the client certificate (cert + key in one PEM) that
    # haproxy presents to the backend.
    default-server ca-file /etc/ssl/cert.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
    default-server ssl sni req.hdr(host) check crt /usr/local/etc/config-secret/certificate.pem

    http-request set-header X-Forwarded-Proto https
    use-server c4_backend if { hdr(host) -i host }
    server c4_backend host:443

HAProxy log:

2020-07-27T15:50:06.021536123Z 1595865006.021443 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064035 0x00000000] trace_attach : filter-type=frontend
2020-07-27T15:50:06.021569326Z 1595865006.021443 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064035 0x00000000] trace_stream_start
2020-07-27T15:50:06.021574327Z 1595865006.021443 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064035 0x00000000] trace_chn_start_analyze : channel=REQUEST - mode=HTTP (frontend)
2020-07-27T15:50:06.021578327Z 1595865006.021443 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064034 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_WAIT_HTTP - step=PRE
2020-07-27T15:50:06.073696653Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064034 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_WAIT_HTTP - step=PRE
2020-07-27T15:50:06.073813962Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064030 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_WAIT_HTTP - step=POST
2020-07-27T15:50:06.073835464Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064030 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_HTTP_PROCESS_FE - step=PRE
2020-07-27T15:50:06.073869667Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064020 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_HTTP_PROCESS_FE - step=POST
2020-07-27T15:50:06.073878267Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064020 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (frontend) - analyzer=AN_REQ_SWITCHING_RULES - step=PRE
2020-07-27T15:50:06.073885268Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064000 0x00000000] trace_stream_set_backend : backend=c4-stedin-o
2020-07-27T15:50:06.073892268Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064c00 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (backend) - analyzer=AN_REQ_SWITCHING_RULES - step=POST
2020-07-27T15:50:06.073899669Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064c00 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (backend) - analyzer=AN_REQ_SRV_RULES - step=PRE
2020-07-27T15:50:06.07390697Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064800 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (backend) - analyzer=AN_REQ_SRV_RULES - step=POST
2020-07-27T15:50:06.07391387Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00064800 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (backend) - analyzer=AN_REQ_HTTP_INNER - step=PRE
2020-07-27T15:50:06.073923971Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] trace_chn_analyze : channel=REQUEST - mode=HTTP (backend) - analyzer=AN_REQ_HTTP_INNER - step=POST
2020-07-27T15:50:06.073931372Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] trace_http_headers : channel=REQUEST - mode=HTTP (backend) GET http://host/http/aansluitingsSync
2020-07-27T15:50:06.073938572Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] host: host
2020-07-27T15:50:06.073944473Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] user-agent: curl/7.64.1
2020-07-27T15:50:06.073950573Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] accept: */*
2020-07-27T15:50:06.073956474Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] proxy-connection: Keep-Alive
2020-07-27T15:50:06.073963474Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x0004c000 0x00000000] x-forwarded-proto: https
2020-07-27T15:50:06.073969675Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x00000000] trace_http_payload : channel=REQUEST - mode=HTTP (backend) - offset=250 - len=1 - forward=1
2020-07-27T15:50:06.073976475Z 1595865006.073556 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x00000000] trace_http_end : channel=REQUEST - mode=HTTP (backend)
2020-07-27T15:50:06.113281562Z 1595865006.112851 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x33580000] trace_chn_start_analyze : channel=RESPONSE - mode=HTTP (backend)
2020-07-27T15:50:06.113442275Z 1595865006.112851 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x33400000] trace_chn_analyze : channel=RESPONSE - mode=HTTP (backend) - analyzer=AN_RES_WAIT_HTTP - step=PRE
2020-07-27T15:50:06.13729941Z 127.0.0.1:59956 [27/Jul/2020:15:50:06.073] c4-stedin-o c4-stedin-o/c4_backend 0/0/39/23/62 401 249 - - ---- 5/1/0/0/0 0/0 "GET http://host/http/aansluitingsSynchronisatieBericht HTTP/1.1"
2020-07-27T15:50:06.137246205Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x33400000] trace_chn_analyze : channel=RESPONSE - mode=HTTP (backend) - analyzer=AN_RES_WAIT_HTTP - step=PRE
2020-07-27T15:50:06.137321411Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x33000000] trace_chn_analyze : channel=RESPONSE - mode=HTTP (backend) - analyzer=AN_RES_WAIT_HTTP - step=POST
2020-07-27T15:50:06.137325412Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x33000000] trace_chn_analyze : channel=RESPONSE - mode=HTTP (backend) - analyzer=AN_RES_HTTP_PROCESS_FE/BE - step=PRE
2020-07-27T15:50:06.137329012Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] trace_chn_analyze : channel=RESPONSE - mode=HTTP (backend) - analyzer=AN_RES_HTTP_PROCESS_FE/BE - step=POST
2020-07-27T15:50:06.137332512Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] trace_http_headers : channel=RESPONSE - mode=HTTP (backend) HTTP/1.1 401
2020-07-27T15:50:06.137335913Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] x-message-code: PWD_WRONG
2020-07-27T15:50:06.137339513Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] www-authenticate: Basic realm="SAP HANA Cloud Platform"
2020-07-27T15:50:06.137342913Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] transfer-encoding: chunked
2020-07-27T15:50:06.137346113Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] date: Mon, 27 Jul 2020 15:50:06 GMT
2020-07-27T15:50:06.137349214Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] server: SAP
2020-07-27T15:50:06.137353314Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x26000000] strict-transport-security: max-age=31536000; includeSubDomains; preload
2020-07-27T15:50:06.137356514Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x24000000] trace_http_payload : channel=RESPONSE - mode=HTTP (backend) - offset=247 - len=2 - forward=2
2020-07-27T15:50:06.137363615Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00048000 0x24000000] trace_http_end : channel=RESPONSE - mode=HTTP (backend)
2020-07-27T15:50:06.137369415Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00040000 0x20000000] trace_chn_end_analyze : channel=REQUEST - mode=HTTP (backend)
2020-07-27T15:50:06.137387117Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00040000 0x20000000] trace_chn_end_analyze : channel=RESPONSE - mode=HTTP (backend)
2020-07-27T15:50:06.137392617Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00000000 0x00000000] trace_stream_stop
2020-07-27T15:50:06.137397117Z 1595865006.135480 [TRACE/c4-stedin-o ] [strm 0x556ecc6ab2e0(34d) 0x00000000 0x00000000] trace_detach : filter-type=frontend

crt /usr/local/etc/config-secret/certificate.pem

This means this certificate will be sent. I'm not aware that haproxy even considers the CA list.

If you want to check, capture the SSL traffic and review it in Wireshark.
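A quicker check than a packet capture, added here as an example that is not part of the thread or of HAProxy itself: run `openssl s_client -msg` against the backend with the same cert+key PEM that the `crt` option points at, and summarise the transcript. It answers the two questions from the original post (does the backend send a CertificateRequest at all, and how many CA names does it list) plus whether the client actually put a certificate on the wire. The line formats it parses (`<<< ... , CertificateRequest`, `>>> ... , Certificate`, the `Acceptable client certificate CA names` header) are assumed from OpenSSL 1.1.x `s_client` output; the transcript below is constructed for an offline run and shows a client that sent no certificate, which is the symptom to compare a real run against.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the client-authentication part
# of an `openssl s_client -msg` transcript.
#
# Real use (host and the PEM path are the placeholders from the thread):
#   openssl s_client -connect host:443 -servername host -msg \
#       -cert /usr/local/etc/config-secret/certificate.pem </dev/null 2>&1 \
#       | tls_client_auth_report

# Reads a transcript on stdin and prints three key=value lines:
#   cert_request=yes|no      server sent a CertificateRequest
#   ca_names=N               number of CA names listed in that request
#   client_cert_sent=yes|no|none   what the client's Certificate message held
tls_client_auth_report() {
    awk '
        BEGIN { request = "no"; sent = "none"; ca_names = 0 }

        # -msg shows handshake messages; "<<<" is server->client, ">>>" client->server.
        /^<<< .*, CertificateRequest$/ { request = "yes" }

        # The client Certificate message: an empty certificate list is only a
        # few bytes (7 in TLS 1.2, 8 in TLS 1.3); a real certificate is hundreds,
        # so any length below 0x10 means "nothing was sent".
        /^>>> .*, Certificate$/ {
            sent = (index($0, "[length 000") > 0) ? "no" : "yes"
        }

        # s_client prints the CA names from the CertificateRequest one per line
        # after this header, until the next summary field or a "---" separator.
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^(Client Certificate Types|Requested Signature|Shared Requested|---)/ { inlist = 0 }
        inlist && NF { ca_names++ }

        END {
            print "cert_request=" request
            print "ca_names=" ca_names
            print "client_cert_sent=" sent
        }
    '
}

# Constructed sample transcript (not real output from the thread's backend):
# the server asks for a certificate and lists two CAs, the client answers with
# an empty Certificate message.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
<<< TLS 1.2, Handshake [length 004a], ServerHello
<<< TLS 1.2, Handshake [length 0b1d], Certificate
<<< TLS 1.2, Handshake [length 0164], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0007], Certificate
>>> TLS 1.2, Handshake [length 0106], ClientKeyExchange
---
Acceptable client certificate CA names
C = XX, O = Example PaaS, CN = Example PaaS Client CA
C = XX, O = Example PaaS, CN = Example PaaS Client CA 2
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3161 bytes and written 486 bytes'

printf '%s\n' "$SAMPLE_TRANSCRIPT" | tls_client_auth_report
```

If a real run reports `cert_request=yes` together with `client_cert_sent=yes` and the backend still answers 401 with `www-authenticate: Basic`, the certificate is reaching the backend and the problem is on its side (wrong CA, or client-certificate auth not enabled for that endpoint), not in HAProxy's handshake.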